Sent to subscribers in September 2014
We are pleased to announce that Supplement 15 to Global Privacy and Security Law is now available. Supplement 15 contains updates to seventeen chapters.
The chapter on the Dominican Republic has been completely revised for this supplement due to the enactment of Data Protection Law No. 172-13. This is the Dominican Republic’s first national data protection law and the updated chapter includes an overview of the objectives and main provisions of the law.
On the European front, in April 2014 the CJEU in joined cases C-293/12 and C-594/12 declared that Directive 2006/24/EC on the Retention of Data Generated or Processed by Electronic Communication Services was invalid. This decision calls into question the continued validity of the national laws that have implemented the 2006 Directive. Chapter 8, on the EU Data Retention Directive, examines these issues in more detail.
The other significant updates in Supplement 15 are detailed below.
Chapter 11—Argentina: The chapter provides an updated report on enforcement in Argentina. In addition, Buenos Aires City and the Buenos Aires Province have introduced a Do Not Call Registry where citizens can register their phone numbers to prevent unsolicited commercial messages. The Registry covers phone and text messages, as well as voice mails.
Chapter 15—Brazil: Bill of Law No. 2.126, known as the Marco Civil da Internet, became Law No. 12.965/2014. This new law focuses on the protection of personal data, as well as metadata or “connection registry” and content, or “application access data.” The new law addresses the confidentiality of these data, and contains data retention requirements. The law also contains provisions to ensure net neutrality and provisions prohibiting discrimination in services.
Chapter 17—Canada: The updates for the chapter on Canada include more comprehensive details on Canada’s new anti-spam law (CASL), which came into force on July 1, 2014 and which is considered to be the strictest law of its kind in the world. CASL applies to many ordinary business communications, specifies precise form and content requirements for messages, applies to even routine installations of computer programs, and its reach extends beyond Canada. The chapter also references a new Supreme Court decision relating to the expectation of privacy in subscriber information held by Internet Service Providers.
Chapter 20—Colombia: In Colombia, a recent decree identifies the minimum information to be provided when registering a database in the Colombia Registry.
Chapter 24—Dominican Republic: This chapter has been revised in its entirety as the Dominican Republic adopted its first national data protection law, Data Protection Law No. 172-13, which was enacted on December 13, 2013. The objective of the Law is to ensure the protection of personal data located in files, records, bank data, or other technical means and to regulate the processing of data recorded on any known means or future means, whether owned by private or public entities, in the Dominican Republic.
Chapter 66—Uruguay: A Resolution recently issued by the URCDP requires all websites that process personal data within the Uruguayan territory to publish the conditions of such treatment in accordance with the dispositions of Law No. 18.331.
Chapter 10—The Asia-Pacific Region: In early 2014, Japan became an approved country to participate in the CBPR system.
Chapter 19—China: In China, the Administrative Measures for Population Health Information (for Trial Implementation) became effective on May 5, 2014. The document stipulates several requirements on the collection, management, utilization, security, and protection of population health information, which is generated and collected in the course of service and administration by medical, health care and family planning service agencies.
Chapter 8—EU Data Retention Directive: In April 2014, the Court of Justice of the European Union in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, declared that Directive 2006/24/EC on the Retention of Data Generated or Processed by Electronic Communication Services was invalid. This decision calls into question the continued validity of the national laws that have implemented the 2006 Directive.
Chapter 22—Czech Republic: The update describes recent developments regarding the implementation of the cookie provisions of the 2009 Directive, and the recent guidance issued by the Data Protection Authority in the event of a breach of security in the telecommunications sector. The chapter contains numerous updates throughout.
Chapter 23—Denmark: The Personal Data Protection Act has been amended to allow the transfer of personal data out of Denmark without the prior approval of the Danish Data Protection Agency if the data importer and data exporter have executed a data transfer agreement in the format of the standard contractual clauses published by the European Commission. The use of cloud computing has become a matter of interest to the Danish Data Protection Authority. The Danish DPA recently prohibited the use of Google Apps by a school on the grounds that the school had not performed a sufficient risk assessment as required under the Danish Data Protection Act.
Chapter 27—Finland: Finland has issued a Regulation specifying the means to be used, and notices to be given, in the event of a security breach in the telecommunications sector. The Regulation addresses the notifications to be given to FICORA, the telecom regulator, and to users and subscribers of the service. It provides guidance on how to assess the significance of a breach and specifies the information to be provided in the required notices.
Chapter 35—Ireland: The chapter on Ireland provides an update on the implementation of the cookie provisions of the 2009 Directive, and summarizes guidance provided by the Irish Data Protection Commissioner. It also reports on a proposed bill regarding the protection of whistleblowers. Finally, the chapter provides an overview of the Strategy Statement of the Data Protection Commissioner, defining the role and goals of his office for 2014-2016.
Chapter 46—The Netherlands: The Netherlands Data Protection Authority has issued Guidance on the proper access to personal data in the context of the employer/employee relationship. Further, the country is working on a security breach disclosure law. The initial draft, introduced in 2013, has been significantly weakened. Its scope has been reduced to requiring the reporting only of security breaches that are likely to have a negative impact on the individual. The security breaches that fall within the scope of the law would have to be notified to the Data Protection Authority.
Chapter 50—Portugal: In Portugal, the National Data Protection Commission has approved a new notification form to be used to request prior authorization for the use of sensitive health data in the employment setting. The use of this new form is expected to reduce the turnaround time for the issuance of the authorization for companies that use internal codes of conduct regarding the use of electronic means that comply with the National Data Protection Commission Opinion No. 1638/2013.
Chapter 54—Slovakia: In Slovakia, the Data Protection Act was amended to move from a registration regime to a notification regime. As of April 15, 2014, the notification process replaced the registration process. However, all registrations of filing systems with a simple registration before April 15, 2014 remain in place and are transferred by the Data Protection Office from the registration list to the notification list.
Chapter 63—Turkey: Turkey adopted two new Regulations that are inspired by the 2002 ePrivacy Directive of the European Union as part of Turkey’s positioning itself to become a member of the European Union. These documents include: “Regulation of Consumer Rights within Electronic Communication Sector” and “Regulation for the Processing and Protecting the Privacy of Personal Data in the Electronic Communication Sector.” Turkey also adopted amendments to its existing Law for Regulating Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications to address the protection and retention of traffic data, proxy server traffic data, and hosting provider traffic data.